Identity Management
Plain English Translation
ISO 27001 Annex A.5.16 requires organizations to strictly manage the entire lifespan of a digital identity, from the moment it is created (provisioning) to the moment it is deleted (deprovisioning). This applies not only to human employees but also to non-human identities like service accounts and bots. The goal is to ensure that only valid, authorized entities exist within your systems, eliminating 'ghost' accounts that could be exploited by attackers.
Technical Implementation
Required Actions (startup)
- Enforce unique accounts for every user (no shared logins)
- Use a manual onboarding/offboarding checklist to create and delete accounts
Required Actions (scaleup)
- Implement a central Identity Provider (IdP) like Okta or Azure AD
- Automate account suspension immediately upon termination via HRIS integration
Required Actions (enterprise)
- Deploy Identity Governance and Administration (IGA) tools for lifecycle automation
- Implement automated rotation and management for non-human identities (service accounts/secrets)
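The HRIS-driven suspension and non-human identity requirements above come down to one recurring check: reconcile the identity provider's user export against the HR roster and flag accounts that no longer map to an active person, an active owner, or recent use. The following is an added example (not code from the page or from WatchDog Security); the HRIS roster, IdP export, field names and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (assumed shapes, not a real IdP or HRIS export).
HRIS = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "end_date": "2026-01-31"},
}
IDP_USERS = [
    {"login": "alice", "type": "human", "status": "ACTIVE", "last_login": "2026-02-10"},
    {"login": "bob", "type": "human", "status": "ACTIVE", "last_login": "2026-02-01"},
    {"login": "ci-deploy", "type": "service", "status": "ACTIVE",
     "owner": "alice", "last_login": "2026-02-14"},
    {"login": "legacy-etl", "type": "service", "status": "ACTIVE",
     "owner": "bob", "last_login": "2025-10-01"},
    {"login": "carol", "type": "human", "status": "ACTIVE", "last_login": "2026-02-15"},
]


def review_identities(hris, idp_users, today_iso, dormant_days=90):
    """Return {login: [findings]} for active IdP accounts that fail lifecycle checks.

    Findings: 'orphan' (human, terminated in HRIS), 'no_hris_record' (human with
    no HR record at all), 'orphan_owner' (service account whose owner is not an
    active person), 'dormant' (no login within dormant_days).
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=dormant_days)

    def active_person(login):
        rec = hris.get(login)
        return rec is not None and rec["status"] == "active"

    findings = {}
    for user in idp_users:
        if user["status"] != "ACTIVE":
            continue  # already suspended; nothing to flag
        issues = []
        if user["type"] == "human":
            if user["login"] not in hris:
                issues.append("no_hris_record")
            elif not active_person(user["login"]):
                issues.append("orphan")
        elif not active_person(user.get("owner", "")):
            issues.append("orphan_owner")  # non-human identity with no valid owner
        if date.fromisoformat(user["last_login"]) < cutoff:
            issues.append("dormant")
        if issues:
            findings[user["login"]] = issues
    return findings


if __name__ == "__main__":
    for login, issues in review_identities(HRIS, IDP_USERS, "2026-02-17").items():
        print(f"{login}: {', '.join(issues)}")
```

Each finding is an offboarding or ownership action to record as evidence; a service account whose owner has left is the case that manual checklists most often miss.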
A.5.16 is an organizational control that mandates management of the full lifecycle of identities, ensuring that digital identities are created, maintained, and removed securely.
The objective is to ensure that only authorized entities (human or non-human) have identities in the system and that these identities are removed immediately when no longer needed.
The control covers the formal processes of registration (creation), provisioning (access assignment), maintenance (updates/changes), and de-provisioning (deletion/revocation) of identities.
Without managed identities, you cannot enforce access control (A.5.15) or accountability; unmanaged identities are a primary vector for breaches and insider threats.
A.5.16 manages the 'Subject' (the identity), while A.5.15 defines the 'Rules' for access, and A.5.18 manages the 'Privileges' assigned to that identity.
The 2022 version explicitly separates 'Identity Management' (A.5.16) from 'Access Rights' (A.5.18), placing greater emphasis on the lifecycle of the identity itself and including non-human actors.
The control also applies to non-human identities: service accounts, APIs, bots, and other technical identities must be managed with the same rigor as human users.
Common challenges include 'orphan' accounts left behind after termination, lack of visibility into service accounts, and manual, error-prone provisioning processes.
You need an Access Control Policy covering identity lifecycle, records of onboarding/offboarding (checklists), and logs showing identity creation and deletion.
Shared accounts are prevented by enforcing a policy that prohibits them and by using technical controls (like SSO) to ensure each human or system has a unique, traceable identifier.
A.5.16 often fails in practice because teams lose visibility into where identities exist across cloud, SaaS, and infrastructure, leading to dormant or orphaned accounts. WatchDog Security's Asset Inventory helps by mapping identities to assets and services across environments, making it easier to spot accounts that no longer align to an active person, role, or system workload and prioritize cleanup.
Auditors typically want repeatable proof that identity lifecycle steps exist (joiner/mover/leaver) and that reviews happen on schedule, not just policy text. WatchDog Security's Compliance Center helps organize this by tracking the control status, flagging gaps (like missing access reviews or incomplete offboarding evidence), and centralizing supporting artifacts so teams can show consistent evidence of identity governance over time.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |